yahoo-eng-team team mailing list archive
Message #38440
[Bug 1495472] [NEW] Horizon forbids user access to identity users/groups with OPENSTACK_KEYSTONE_MULTIDOMAIN_SUPPORT=True
Public bug reported:
When Horizon is set up with OPENSTACK_KEYSTONE_MULTIDOMAIN_SUPPORT =
True, the user will not be able to access identity/users and identity/groups,
with an Unauthorized error, which in turn makes Horizon log the user out.
Horizon fills in the domain name before sending the request to Keystone in the following way:
    domain_context = self.request.session.get('domain_context', None)
But there is no `domain_context` variable in the session, so it will be set
to None. And domain=None will be sent to Keystone with the line
    users = api.keystone.user_list(self.request, domain=domain_context)
which is present in all identity dashboard views (users, projects, groups, domains and NOT roles).
For example: https://github.com/openstack/horizon/blob/master/openstack_dashboard/dashboards/identity/users/views.py#L50
It looks like if we change the code to
    users = api.keystone.user_list(self.request, domain=self.request.user.user_domain_name)
everything will be ok.
It is strange that identity/users does not work without the correct domain while identity/projects does, because they both send requests to Keystone without a correctly set domain.
And it looks like this problem only occurs with Keystone v3 (there are no domains in the v2 Keystone, so no domain - no problems).
After pushing the "SetDomainContext" button in identity/domains,
everything works fine.
** Affects: horizon
Importance: Undecided
Status: New
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Dashboard (Horizon).
https://bugs.launchpad.net/bugs/1495472
Title:
Horizon forbids user access to identity users/groups with
OPENSTACK_KEYSTONE_MULTIDOMAIN_SUPPORT=True
Status in OpenStack Dashboard (Horizon):
New
To manage notifications about this bug go to:
https://bugs.launchpad.net/horizon/+bug/1495472/+subscriptions